You can enable a policy that requires users (with certain roles) to regularly change their passwords.
For example, administrator accounts can be required to change their passwords at least every 90 days.
WP Admin Audit will also send out notifications in advance to let the user know that a mandatory password change is coming up.
Should the user fail to change the password before the time period is up, the user can only log in again after changing (or resetting) the password.
Here is how you set this up for your WordPress users.
Enable password change policy
In this example, we want Administrator accounts to change their passwords at least every 90 days.
- Open the settings in WP Admin Audit
- Select the “User accounts” tab
- Enable the checkbox to enforce periodic password changes
- Define how often the password must be changed, as a number of days.
In our example, we want passwords to be changed at least every 90 days.
- Select all user roles in scope for the password policy.
In our example, we choose WordPress’ Administrator user role. You can of course also choose multiple roles here.
- Now select the notifications to be sent prior to the password expiring.
This warns the user of the soon-to-expire password.
In our example, we send up to three notifications: 30, 7, and one day ahead.
- Save the settings.
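To make clear what such a policy does behind the scenes, here is an added illustration of the enforcement logic in WordPress terms. It is example code written for this page, not WP Admin Audit's own implementation: it records the time of each password change in user meta, blocks login once the password is older than the policy allows (so the user has to go through the reset flow), and sends the 30, 7 and 1 day warnings from a daily WP-Cron job. The meta key `pwexp_last_change`, the cron hook `pwexp_daily` and the `pwexp_` function names are assumptions chosen for the example; the policy values (90 days, Administrator role, three notifications) are the ones from the walkthrough above.

```php
<?php
/**
 * Illustrative password-expiry enforcement for WordPress (added example,
 * not WP Admin Audit's code). Assumes a hypothetical user meta key holding
 * the Unix time of the last password change, a 90-day window, warnings at
 * 30, 7 and 1 days ahead, and only the Administrator role in scope.
 */

const PWEXP_META_KEY     = 'pwexp_last_change';   // hypothetical meta key
const PWEXP_MAX_AGE_DAYS = 90;                    // policy value from the example
const PWEXP_ROLES        = [ 'administrator' ];   // roles in scope
const PWEXP_WARN_DAYS    = [ 30, 7, 1 ];          // advance notifications

/** Record the time of a password change (profile edit or reset). */
function pwexp_record_change( int $user_id ): void {
    update_user_meta( $user_id, PWEXP_META_KEY, time() );
}

// Password reset flow: fires after the new password has been stored.
add_action( 'after_password_reset', function ( WP_User $user ) {
    pwexp_record_change( $user->ID );
} );

// Profile update: only count it as a change if the stored hash changed.
add_action( 'profile_update', function ( int $user_id, WP_User $old ) {
    $new = get_userdata( $user_id );
    if ( $new && $new->user_pass !== $old->user_pass ) {
        pwexp_record_change( $user_id );
    }
}, 10, 2 );

/** True when one of the user's roles is covered by the policy. */
function pwexp_in_scope( WP_User $user ): bool {
    return (bool) array_intersect( PWEXP_ROLES, (array) $user->roles );
}

/** Days until the password expires; negative means already expired. */
function pwexp_days_left( WP_User $user, int $now = 0 ): int {
    $now  = $now ?: time();
    $last = (int) get_user_meta( $user->ID, PWEXP_META_KEY, true );
    if ( $last === 0 ) {
        // No record yet: fall back to the account creation time (stored in GMT).
        $last = strtotime( $user->user_registered . ' UTC' );
    }
    $age_days = intdiv( $now - $last, DAY_IN_SECONDS );
    return PWEXP_MAX_AGE_DAYS - $age_days;
}

// Refuse the login once the password is older than the policy allows; the
// user must use the reset flow, which records a fresh change time.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( $user instanceof WP_User && pwexp_in_scope( $user ) && pwexp_days_left( $user ) < 0 ) {
        return new WP_Error(
            'password_expired',
            sprintf( 'Your password is older than %d days. Please reset it before logging in.', PWEXP_MAX_AGE_DAYS )
        );
    }
    return $user;
} );

/** Send a warning when today matches one of the thresholds; true if a mail was queued. */
function pwexp_maybe_warn( WP_User $user ): bool {
    if ( ! pwexp_in_scope( $user ) ) {
        return false;
    }
    $left = pwexp_days_left( $user );
    if ( ! in_array( $left, PWEXP_WARN_DAYS, true ) ) {
        return false;
    }
    return wp_mail(
        $user->user_email,
        'Password change required soon',
        sprintf( 'Your password expires in %d day(s). Please change it in your profile.', $left )
    );
}

// Daily check driven by WP-Cron (hypothetical hook name 'pwexp_daily').
add_action( 'pwexp_daily', function () {
    foreach ( get_users( [ 'role__in' => PWEXP_ROLES ] ) as $user ) {
        pwexp_maybe_warn( $user );
    }
} );
if ( ! wp_next_scheduled( 'pwexp_daily' ) ) {
    wp_schedule_event( time(), 'daily', 'pwexp_daily' );
}
```

Two design points worth noting: the change time is recorded from the password-reset and profile-update hooks rather than trusted from the client, and the login check happens in the `wp_authenticate_user` filter, after the credentials have been verified, so an expired password does not leak whether the login attempt was otherwise correct. Because the warning compares exact day counts, it relies on the cron job actually running once per day; if WP-Cron is disabled or only triggered by page loads on a quiet site, a threshold can be skipped.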
Check the date of the last password change
While enforcing periodic password changes is a great tool for implementing such an IT security policy, you may also want to audit WordPress user and admin accounts manually. This is where the User Audit view in the user details is very helpful.